Uncategorized

OWASP Twin Cities November meeting

The chapter page on the OWASP web site seems to be strangely difficult to get updated, so let me spread the word here.

The November meeting of the Twin Cities OWASP chapter has been scheduled for next Tuesday, November 8, at the Golden Valley Library. The library is a block or two north of the intersection of Winnetka and Highway 55, at 830 Winnetka Avenue. (map) We will meet from 6 to 7:45 PM.

This month, Gunnar Peterson will head up the agenda with a report on the OWASP App Sec Conference, and a recap of his presentation there on “Integrating Identity into Web Applications: Overview of issues and risks related to identity services in web and n tier applications.”

Uncategorized

Beyond Java (or, Does This API Make Me Look Fat?)

I recently finished Bruce Tate’s Beyond Java, a book every Java programmer should read. Especially those who haven’t worked much with other languages. I should say right now that I probably feel this way because it validates much of what I’ve been arguing for years, from the perspective of someone deep inside the Java world.

Recent comments here should make it clear that Java and I aren’t exactly on speaking terms. It isn’t so much the language as all the deadwood that’s built up around it. A coworker and I recently spent a day reorganizing a legacy codebase so we could use Eclipse as an actual IDE instead of just a big, slow text editor. About half the day was spent figuring out the XDoclet used to build the app. And it dawned on me: we’re using XDoclet to generate all this code that doesn’t contribute meaningfully to the application, but rather is required scaffolding to maintain the EJB framework. Code generation has its point, but when you have to then maintain that code … ugh. I’m watching my team struggle to produce web apps in a timely fashion, held back not by the difficulty of business problems, but by the bulk and complexity of J2EE programming. We spend more time in care and feeding of the framework than we do writing application code. That just doesn’t seem right.

Bruce Tate makes a convincing argument that Java is at a point where it can either rally its forces and continue on with renewed vigor, or be overtaken by new contenders with programming models that support more rapid development and match business and programming needs more closely. He doesn’t seem all that hopeful for Java.

Tate is almost reluctant in this. Java has been good to him. A best-selling author with a successful consultancy, he is very much at home in the Java world. So to give Java its fair due, he walks us through its history, identifying the roots of its early success: wooing C and C++ programmers to a better programming experience. But now, he argues, Java is moving away from its base, expanding in strange and poorly planned directions (e.g. generics — perhaps useful, but poorly implemented), growing an ever-larger stack of technologies necessary to even function as a Java programmer. Java is effective for system or middleware programming, but failing as a language for writing applications. Other languages — Python, Ruby — are gaining popularity because they let programmers do their jobs faster, better, writing less code to do more.

He points out what still surprises many programmers: while we discover that dynamic typing is quite effective and not that dangerous, the changes made to Java only reinforce static typing (e.g. generics). I, for one, am tired of spending my time worrying about such details that do not demonstrably contribute to the effectiveness, correctness, or functionality of my apps. Static typing ain’t it.

To supplement his own arguments, Tate includes interviews with Java luminaries who are moving away from the platform or who at least take serious issue with some of the sacred cows of the Java world. I was particularly tickled by the inclusion of James Duncan Davidson, who brought us both Tomcat and Ant and no longer works with Java. There is also Steve Yegge’s explanation of how he took months off from development to figure out what was slowing him down, only to discover that it was Java itself.

(Elsewhere, David Geary of JSF fame identifies several Java “connectors and mavens” who have adopted Rails. Worth noting by those who would dismiss the hype.)

The concluding chapters explore what Tate thinks might characterize languages that steal Java’s thunder, paying close attention to Ruby, Ruby on Rails, and continuation servers like Seaside (which I’d never heard of but which intrigue me). He dismisses Perl and PHP for what I agree to be mostly valid reasons, though I think he’s a bit harsh on PHP and has misconceptions about best practices in PHP programming models.

I devoured this book and immediately reread it. I am serious: if you are a Java programmer, you should read it. Obviously Java will not disappear from the landscape anytime soon, but I believe that it’s important to understand its limitations and frustrations, and why other languages are starting to eat away at its foundation. Otherwise you’re likely to end up like one of the cranky COBOL programmers, wondering what all the fuss is about this upstart 10-year-old. :)

Uncategorized

Ruby, after all

That didn’t take long. Just a few days after I decided to learn Python before Ruby, I changed my mind and went with Ruby. Garrick told me that a Ruby user group was starting up in town, and that happy news pushed me over the edge. I’ve spent odd moments and bus rides in the past week reading the PickAxe book, and my gut feeling was right: Ruby feels right to me, like meeting an old friend, like coming home. I’m excited to dig into it with gusto, and anxious to try Ruby on Rails.

Rails is easy enough to set up, but the usual way of doing so is to use RubyGems — which doesn’t work right on my iBook running Jaguar (OS X 10.2). No, compiling a new ruby hasn’t helped, though the problem does seem to be at the ruby core level. The obvious choices are either to get Tiger (OS X 10.4), which I’ve been putting off until I buy a new laptop, or to install Rails by hand. I’m not sure right now which way I’ll go.

To celebrate my introduction to Ruby, on Wednesday night I went to the inaugural meeting of the Twin Cities Ruby user group (still working on a name; people were enthused about “MSP Ruby Brigade”). The organizers expected maybe a half-dozen people. Three times that showed up. Not bad for last-minute word-of-mouth! Easily half the people in attendance work with Java in their day job; most of us are less than thrilled about it. At least two there contribute to JRuby, working to get a Ruby interpreter in the JVM. A really sharp group of people. I walked away from the meeting even more excited about Ruby than when I arrived.

What about Python? I’ll get back to it. I still do want to try Django, and the few days that I spent with Python whetted my appetite. I’m just more excited about Ruby right now.

Security

Web App Security Assessment with LiveHTTPHeaders

Shreeraj Shah has just published Assessing Web App Security with Mozilla over on ONLamp.com. It’s really more about introducing LiveHTTPHeaders than the guts of a security assessment, but it does point the way. Not unlike the talk I gave at this spring’s MnSCU IT conference (handouts). I like LiveHTTPHeaders for just this purpose; I use it all the time. (In fact, I used it just yesterday when reviewing PHPSurveyor, an app that has its share of problems.) More and more, though, I find that I’m using Fiddler, at least when I’m on a Windows box and don’t have to deal with HTTPS. Fiddler offers a lot of detail that I find useful.

Still, I do fire up LiveHTTPHeaders when I just need a quick overview of what’s happening and want to manipulate requests. I also use it to introduce developers to HTTP. Too often I find that developers don’t have a solid understanding of HTTP basics, which has a direct impact on their ability to write secure web applications.

LiveHTTPHeaders is a fine tool, and Shreeraj Shah’s article is a good introduction. If you’ve never used it, a few minutes reading that will get you started and point you in the right direction. And maybe give you a little insight into the sorts of things an attacker can do quite easily.
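The point of looking at raw requests is that everything in them, headers and body alike, was chosen by the client. As an added example (my own code, not from the article or the LiveHTTPHeaders extension), here is a small Python script that does in code what the extension’s replay window lets you do by hand: parse a captured request, edit a header and a form field, recompute Content-Length, and show what a naive server-side handler would then see. The captured request is constructed for the example; the host, path and field names are made up.

```python
"""Parse, tamper with and replay a raw HTTP/1.1 request (added example)."""
from urllib.parse import parse_qsl, urlencode

# Constructed sample request, shaped like a form post from a survey app.
# Hostname, path, cookie and field names are illustrative, not real.
SAMPLE_REQUEST = (
    "POST /survey/save.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Referer: http://example.test/survey/edit.php?sid=42\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "sid=42&price=100&admin=false"
)


def parse_request(raw):
    """Split a raw request into request line, ordered header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def serialize_request(req):
    """Rebuild the wire form, keeping header order as captured."""
    lines = [f'{req["method"]} {req["target"]} {req["version"]}']
    lines += [f"{name}: {value}" for name, value in req["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n" + req["body"]


def get_header(req, name):
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def set_header(req, name, value):
    for i, (n, _) in enumerate(req["headers"]):
        if n.lower() == name.lower():
            req["headers"][i] = (n, value)
            return
    req["headers"].append((name, value))


def tamper(raw, headers=None, form_fields=None):
    """Replay with edits: override headers and/or form fields, fix Content-Length."""
    req = parse_request(raw)
    for name, value in (headers or {}).items():
        set_header(req, name, value)
    if form_fields:
        fields = dict(parse_qsl(req["body"], keep_blank_values=True))
        fields.update(form_fields)
        req["body"] = urlencode(fields)
    # A stale Content-Length is the usual reason a hand-edited replay fails.
    if req["body"] or get_header(req, "Content-Length") is not None:
        set_header(req, "Content-Length", str(len(req["body"].encode())))
    return serialize_request(req)


def server_side_view(raw):
    """What a handler sees. None of these values can be trusted: the client set them all."""
    req = parse_request(raw)
    return {
        "referer": get_header(req, "Referer"),
        "session": get_header(req, "Cookie"),
        "form": dict(parse_qsl(req["body"], keep_blank_values=True)),
    }


if __name__ == "__main__":
    forged = tamper(
        SAMPLE_REQUEST,
        headers={"Referer": "http://example.test/survey/admin.php"},
        form_fields={"price": "1", "admin": "true"},
    )
    print(forged)
    print(server_side_view(forged))
```

The two edits in the usage block are the ones developers new to HTTP tend not to expect: a Referer check does not prove where a request came from, and a form field is a suggestion from the client, not a fact. Anything the handler relies on (the price, the admin flag, the record the session is allowed to edit) has to be re-derived on the server.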

Uncategorized

Python, then Ruby

I’ve taken up Python again. I quickly taught myself Python a few years ago, learning just enough to become enamored with the language before neglect drove it from my brain. I love its brevity, its elegance. I once fooled myself into thinking that Jython would be handy, offering the complete Java API through Python, but right now Java and I aren’t getting along, so that’s not too interesting anymore. So what brings me back to Python? Django and TurboGears, two Python web frameworks that stand to make me more productive with less code. Even if it’s just for fun and I never get the chance to use this stuff at work, I don’t care. I want to hack again.

What about Ruby on Rails? Don’t worry, that’s coming. I like what I see in Ruby — a lot — and it’s just become too hard to ignore Rails. I tried for a while, mostly because the hype factor turned me off, but a closer look at Ruby and a better understanding of what Rails is all about helped me get over that particular prejudice. Rails certainly reflects some worthwhile ideas, and I just can’t argue with the productivity it offers.

I wrestled with deciding whether to take up Ruby before Python, but opted for Python because I was afraid that if I started with Ruby it would be months before I returned to Python. My gut is telling me that I’m going to be much more at home in Ruby. Since part of why I’m learning these languages is to expose myself to different ways of thinking, I decided first to learn Python and see how that takes.

Still, Ruby beckons. I figure I’ll pick up the Pickaxe in a couple weeks.

Personal

I Am Not a Runner

I used to be a runner. I started when I was nine years old, and kept at it diligently almost all the way through high school. I can’t imagine that now: how many fourth graders do you know who take up long distance running for fun? By high school I’d developed an unfortunate habit of running at night, through areas that weren’t very well lit: wooded, hilly trails around the lake. (Or maybe it wasn’t so unfortunate, since it meant that I often got to stop by my friend Faye’s house for some late-night lasagna. :) One night, though, I stepped in a hole — that happens sometimes when you can’t see the ground in front of you — and hurt my ankle badly enough to keep me out of running for about six weeks. By the time I was physically able to run again, I discovered that I was no longer interested. It just didn’t do it for me anymore: I was no longer a runner at heart. So I stopped.

Two weeks ago, overweight and out of shape, I started to think about running again. I’d take it slow, ramp up to some more serious effort when the coming winter fades. I had just decided to go buy a pair of shoes when I sprained my ankle. Okay, maybe I shouldn’t start running quite yet. After a couple weeks my ankle starts to heal, I finally start walking on it comfortably again, maybe start thinking about looking at those shoes soon — knowing full well that it will be a few weeks before the ankle is strong enough to run on — and bam! The ankle goes out again. It seems that Something is telling me that I should have taken the hint in high school: I Am Not a Runner.

I was all ready to accept the cosmic omen explanation, but then today it happened again, this time about as bad as the sprain two weeks ago. At no time today or yesterday did I give any serious consideration to buying shoes. So that’s probably not it. On the other hand, this time I did call a doctor. Appointment’s later this morning. Hopefully I can make it there. :)

Uncategorized

IE Developer Toolbar

Microsoft have released a beta version of an Internet Explorer Developer Toolbar. A very nice complement to the ever-essential Mozilla DOM Inspector and Chris Pederick’s Web Developer extension. I’ve often wanted something like this when I’m working in IE; now it’s here.

Security

Software Security Portal

At Tuesday’s OWASP Twin Cities meeting, I learned that DHS is about to launch a new software security portal, BuildSecurityIn. An article in a recent IEEE Security & Privacy magazine describes the portal. I don’t subscribe so will be hitting the library this weekend to find what I can before this thing goes live.

Security

OWASP Twin Cities

Tuesday night I went to the first meeting of the Twin Cities chapter of the Open Web Application Security Project (OWASP). We’ll be meeting the second Tuesday of every month. It’s too early to tell how successful the group will be, but the people there seem dedicated, so I am hopeful.

In attendance was Gunnar Peterson, whose articles on a collaborative secure development process (PDF: parts one, two, three) introduced me to misuse cases and, eventually, threat modeling. Interestingly, of the 10-12 people there, I was the only developer. Everyone else was a security analyst, architect, or consultant. This defied my expectations but not theirs. The developer blogs I read deal with security and build an impression that developers are more concerned with security than is generally the case. Of course, I seek out those blogs in part because they have interesting things to say about security, so that misleading impression is only natural. The developers I work with give consideration to security, but probably not as much as I’d like to think and certainly not enough to drag them out to the Golden Valley library on a Tuesday night. I think, then, that I need to evangelize the new OWASP chapter to the developer communities in which I participate. This will likely mean having meetings on topics of interest to them.

Gunnar brought up a good point: so often security teams (which have historically been network-focused) point at developers for security problems, but we mustn’t forget the architects, who obviously need to consider security as part of the software architecture. This underscores a point that many of us have been saying for years: security needs to be incorporated throughout the development cycle of an app. That’s what Microsoft’s Security Development Lifecycle is all about, and from everything I’ve heard they’re really taking it to heart.

I’d like to find ways to get involvement in OWASP from all sorts of different groups involved in software development, not only to emphasize the importance of security in those areas, but to learn about these other fields and make connections outside my immediate arena. Software development fascinates me, and not just programming. That’s why I distinguish between “developer” and “programmer”: to focus exclusively in one area is a death knell for my passion, my career, and perhaps my sanity. This is part of why I’ve started to be more active in local industry groups like the OWASP chapter. I’m a security-focused web application developer with a penchant for open source and open processes, so it’s no surprise that OWASP appeals to me.

I volunteered to give a presentation about the OWASP Top Ten at our next meeting. It’s a good introduction to the issues in web application security, of interest to developers, architects, analysts, testers… anyone involved in web application development and deployment. I’ve given this talk a couple times before, but this time I have some new ideas for presenting the material. So come on out! Tell your friends! We’ll be at a to-be-determined location (originally the Golden Valley Library) on Tuesday, October 11, 6 – 8 p.m. Hope you can make it.

Update: I’ve been told that the library was already booked, so a new location for October’s meeting is being sought. Check the OWASP Twin Cities page for updates.

Update, 8 October. Tuesday’s meeting is at the Plymouth Public Library, 6 – 8 p.m.

Uncategorized

And this, Comcast, is why we dropped you.

When we bought our house last fall, we chose Comcast for phone and internet service. At first we weren’t even going to get a land line and just rely on our cell phones, but after Kiara locked her phone in the garage, we decided that for safety’s sake we should have a land line. We would have gone with Qwest, since it’s a bit cheaper and DSL is fast enough for our needs, but no one we talked to at Qwest could find our address in the system, so they couldn’t even provide phone service. Never mind that the house has been there fifty years and Qwest provided service to the previous owners, we weren’t in the system and that’s that.

So Comcast seemed the obvious choice, both for phone and internet (we didn’t want cable TV). A few dollars more expensive, but faster — and they acknowledge the presence of our house. And tech support was phenomenal the few times I needed to call it, even when they were obviously disappointed and confused by my using a Mac. Really, I felt upbeat after every call. How often does that happen with tech support?

And we were pleased. For a few months, at any rate. Then small annoyances started to add up. We would be without internet service for hours, sometimes days with neither notice nor explanation. No, that’s not entirely true: whenever I called, I’d be told it was scheduled downtime. That lasted for days. Downtime happens, I know, but there was an awful lot of it “scheduled.” And although I never used the Comcast email address, we got a lot of spam sent to it.

We were also disappointed with the phone number we’d been given. Whoever had had it before, apparently just a few weeks before we inherited it, left a lot of unpaid debts. I kid you not, easily 90% of the phone calls we got were not for us, they were collection agencies after this guy. We just stopped answering the phone. Had we stayed with Comcast, we would have a new phone number, no question, but is it just a coincidence that a coworker who also used Comcast for phone service had the same problem? Probably, but it’s an odd one.

This spring, Qwest found our house in their system, and we dropped Comcast right away. We didn’t and don’t expect that Qwest service will be that much better, but so far it’s been fine. No unexpected — excuse me, scheduled outages. My coworkers are aghast that I’d go with DSL over cable modem because it’s slower, but I’ve rarely found that to be a problem. Right now I’m more hampered by the flaky wireless on the laptop than anything else. We’re content with Qwest, and we’ll stick with ’em for a while. I’m in no hurry to change my phone number again, and now the phone works even if we lose power. :-)

A few days ago, Comcast nailed the lid on the coffin. They sent a bill for long distance calls made in late July and August. There are two problems with this:

  1. We never had long distance service with them. Our cell phone plans offer that for “free”, so we chose only local service with Comcast.
  2. We cancelled our service on April 27!

Billed for calls we obviously never made. The guy I talked to at Comcast was as confused as I. He couldn’t even see that I’d been billed at all, or had any charges on my account. Great. So I’m ignoring the bill for now, and hoping that the customer service guy really did make notes on my account. With my luck, I can just see this going to collections because their accounting system is frelled.
